If there ever was an epic fail, this is the one: Google missed the presence of the Tekya clicker in 24 children's games and 32 utility apps that were available in its Play Store. The alarm was raised by cloud security watchdog Check Point Research, but by the time the researchers discovered the new threat, the apps had already been installed on almost 1.7 million devices. It is one more confirmation that you cannot be too careful when downloading and installing anything on your mobile. The findings reported by Check Point Research show that even the mighty Google cannot keep everything under control. Hackers never sleep. In this case, VirusTotal and Google Play Protect were unable to detect as many as 56 malicious apps.
The Tekya family of malware
The piece of malware discovered in the tainted apps is a broadcast receiver that goes by the name ‘us.pyumo.TekyaReceiver’. When an infected app is installed, the receiver is registered for a set of system broadcasts, which is what lets it execute its actions at the right moments. Check Point Research has described them as follows:
- ‘BOOT_COMPLETED’ to allow code to run at device startup (“cold” start).
- ‘USER_PRESENT’ in order to detect when the user is actively using the device.
- ‘QUICKBOOT_POWERON’ to allow code to run after a device restart.
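A static triage check for exactly the registration pattern listed above, added here as an example (it is not code from the article or from Check Point Research): it parses an APK's decoded AndroidManifest.xml and flags any receiver that subscribes to two or more of those startup and user-presence broadcasts. The manifest below is constructed for the demonstration; only the receiver class name comes from the article, and the package name and second receiver are invented.

```python
import xml.etree.ElementTree as ET

# ElementTree expands the "android:" prefix to this namespace URI.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SUSPECT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",     # run at cold start
    "android.intent.action.USER_PRESENT",       # user unlocked / active
    "android.intent.action.QUICKBOOT_POWERON",  # run after restart
}

def flag_startup_receivers(manifest_xml, threshold=2):
    """Return one record per <receiver> listening for at least `threshold`
    of the suspect broadcasts. This is a triage heuristic, not proof of
    malice: legitimate apps also register for BOOT_COMPLETED, so hits
    should be combined with other signals (e.g. native-only logic)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        actions = {a.get(ANDROID_NS + "name")
                   for f in receiver.findall("intent-filter")
                   for a in f.findall("action")}
        hits = sorted(actions & SUSPECT_ACTIONS)
        if len(hits) >= threshold:
            findings.append({"receiver": name, "actions": hits})
    return findings

# Constructed sample manifest (not the real app's); the receiver class name
# is the one reported by Check Point, everything else is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.game">
  <application android:label="Placeholder Game">
    <receiver android:name="us.pyumo.TekyaReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for hit in flag_startup_receivers(SAMPLE_MANIFEST):
        print(f"{hit['receiver']}: {', '.join(hit['actions'])}")
```

Run it against the manifest that `apktool d` or `aapt dump xmltree` produces for a real APK; the benign `.UpdateReceiver` in the sample is there to show that receivers without the startup broadcasts are not reported.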
The code is well hidden. Instead of using Java to implement the logic, the authors of Tekya went native: they wrote the malicious component in C and C++. While Java gives developers easy access to multiple layers of abstraction, native code sits at a much lower level. The consequence is that native code cannot be decompiled as easily as Java; native binaries are not readily converted back into human-readable source code. This ruse did the trick and let the malicious apps fly under the radar, undetected by Google's scanner. Once installed, they used Android's “MotionEvent” mechanism to imitate legitimate user actions.
Mobile ad fraud
Tekya apps are just the new kids on the block in a fast-growing “business” sector: mobile ad fraud, where money can be made quickly by illegal means. Tekya and its like generate fraudulent clicks on ads and banners; that is the purpose of the actions we have seen above. Ad networks such as Google's AdMob, AppLovin, Facebook and Unity would then count these fake clicks as real. The fraudsters' objective is to steal from advertising budgets. Check Point Research has published the full technical details of how Tekya imitates a click via the ‘MotionEvent’ mechanism.
If you run an app infected with malware of this type, you will be completely unaware that your mobile is generating fake clicks on ads, and that a scammer somewhere is making money out of it. Tekya is by no means the only example. The well-known antivirus vendor Dr. Web discovered another piece of malware, named Android.Circle.1, that was recently downloaded more than 700,000 times hidden in further Google Play apps. Android.Circle.1 uses code based on the BeanShell scripting language, which yields a combination of adware and click-fraud functions. As many as 18 modifications of the malware were detected, and the bad news is that they could be used to perform phishing attacks.
Some apps containing Android.Circle.1 are Wallpaper Black—Dark Background, Horoscope 2020—Zodiac Horoscope, Sweet Meet, Cartoon Camera, and Bubble Shooter.
Hiding in the forest
Google has, of course, removed all the Tekya and Android.Circle.1 apps, but keeping up with ever more creations of this kind is a hard struggle. There are more than three million apps in the Play Store and hundreds more are published continuously. The giants of the antimalware sector are studying the new attackers closely. In its annual report, Malwarebytes was quoted as saying that adware “reigned supreme” in 2019. This holds true for Android devices but also for Macs and Windows PCs. Another big name in the antivirus sector, Avast, reported that adware was responsible for 72 percent of all Android malware between October and December 2019.
Here are Check Point Research's suggestions if you suspect you have an infected app on your mobile:
- Uninstall the infected application from the device
- Install a security solution to prevent future infections
- Update your device's operating system and applications to the latest version